MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be5825c707b2fd0d972ae9d2431561b9215de539846232cff466cb11e20b9d89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be5825c707b2fd0d972ae9d2431561b9215de539846232cff466cb11e20b9d89
SHA3-384 hash: 82bd7c5c3af8d4b3486091492f8956f85a70ce23e0549fd2df866773bf48260fcc81d56797793ce023c4ee75b24ff2ff
SHA1 hash: b5ecee6fd39b1b89a1246842bdb93b34d6a3637e
MD5 hash: daf6c083b09bbd7db92bd975933097b8
humanhash: failed-arizona-robin-quebec
File name:SWIFT copy 27092023.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:651'264 bytes
First seen:2023-09-27 13:14:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:M6LyiRJU/Wcj1XdosluhJFkin+93RGWPjQaz6W5i8Nc5bz9efDK0Z:RmFeQ8sgkG+hRB7QTKiq80Z
Threatray 301 similar samples on MalwareBazaar
TLSH T183D4022072FC4B96E5BE87F248665918AB7276AE341AF74C0DC3B1DE11A5F408710FA7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 00e49a72729ae400 (9 x AgentTesla, 4 x SnakeKeylogger, 3 x Loki)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
294
Origin country :
US US
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
SWIFT copy 27092023.exe
Verdict:
Malicious activity
Analysis date:
2023-09-27 13:14:59 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/98ecf5e4-5a64-48ef-b6cb-9e4951193418

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/451594/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2402.31480.19432.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Launching the process to change network settings
Launching cmd.exe command interpreter
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65142ad933582f234e049472/reports/8664ad46-63f7-4a8e-b3ea-734766c4dce9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/be5825c707b2fd0d972ae9d2431561b9215de539846232cff466cb11e20b9d89
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fcea3cb5-dd10-4bdb-a9d7-32b5b8c8ecd6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1315266
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1315266 Sample: SWIFT_copy_27092023.exe Startdate: 27/09/2023 Architecture: WINDOWS Score: 100 56 tse1.mm.bing.net 2->56 76 Snort IDS alert for network traffic 2->76 78 Found malware configuration 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 9 other signatures 2->82 11 SWIFT_copy_27092023.exe 7 2->11         started        15 siXxtIC.exe 5 2->15         started        signatures3 process4 file5 52 C:\Users\user\AppData\Roaming\siXxtIC.exe, PE32 11->52 dropped 54 C:\Users\user\AppData\Local\Temp\tmp3F7.tmp, XML 11->54 dropped 94 Uses schtasks.exe or at.exe to add and modify task schedules 11->94 96 Writes to foreign memory regions 11->96 98 Allocates memory in foreign processes 11->98 100 Adds a directory exclusion to Windows Defender 11->100 17 RegSvcs.exe 11->17         started        20 powershell.exe 19 11->20         started        22 schtasks.exe 1 11->22         started        102 Multi AV Scanner detection for dropped file 15->102 104 Injects a PE file into a foreign processes 15->104 24 RegSvcs.exe 15->24         started        26 schtasks.exe 15->26         started        28 RegSvcs.exe 15->28         started        signatures6 process7 signatures8 68 Modifies the context of a thread in another process (thread injection) 17->68 70 Maps a DLL or memory area into another process 17->70 72 Sample uses process hollowing technique 17->72 74 2 other signatures 17->74 30 explorer.exe 2 1 17->30 injected 34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        38 conhost.exe 26->38         started        process9 dnsIp10 62 rhoheritage.com 108.167.164.101, 49848, 80 UNIFIEDLAYER-AS-1US United States 30->62 64 brand-wise.net 154.49.245.79, 49846, 80 IDOMTECHNOLOGIES-ASFR United States 30->64 66 15 other IPs or domains 30->66 106 System process connects to network (likely due to code injection or exploit) 30->106 108 Performs DNS queries to domains with low reputation 30->108 40 rundll32.exe 11 30->40         started        44 control.exe 30->44         started        46 autoconv.exe 30->46         started        signatures11 process12 dnsIp13 58 www.hjjkk89.xyz 40->58 60 hjjkk89.xyz 40->60 84 System process connects to network (likely due to code injection or exploit) 40->84 86 Performs DNS queries to domains with low reputation 40->86 88 Modifies the context of a thread in another process (thread injection) 40->88 90 Maps a DLL or memory area into another process 40->90 48 cmd.exe 40->48         started        92 Tries to detect virtualization through RDTSC time measurements 44->92 signatures14 process15 process16 50 conhost.exe 48->50         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/be5825c707b2fd0d972ae9d2431561b9215de539846232cff466cb11e20b9d89/
Threat name:
ByteCode-MSIL.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2023-09-27 03:46:49 UTC
AV detection:
20 of 36 (55.56%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xzmclryhwl6q3fzk5hjegflbxeqv3zjzqrrdft7um3frdyqltweq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
1ea71cc88a132a7b8e02d09af736d609ef82d466b84e5e31a5354005c5442d84
Formbook
4b3919bc8ab3c523d2cc6c48a0279cf72d39de65e3ef428b922461f833e6ad4d
Formbook
5bfe901c956128c642b0755659fc7eeb2b04651323ad2caea133f37a3ce94946
Formbook
600c30b088b6655db33aaaa2be4f393b4861b5101a674c54a30fb734d5708410
Formbook
638619c26cc20f590052a8dac6eabcc3b0dd6dcdd7f48832a36a1b0d983ae77f
Formbook
c76afbbf6fa00b8a5a2826a1104bb2b6468e6df5610e596f737086687ab96ff8
Formbook
ce3a3c9f22255146152575aa50fc9f5f1ef3f8c96b9b94cd766301045f846612
Formbook
ebf0eb7fbb57169b6d1584235c63321857ca13207ba40e374aa8c6540da1ea74
Formbook
+ 291 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:r65e rat spyware stealer trojan
Link:
https://tria.ge/reports/230927-qg8z7acb85/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Formbook payload
Formbook
Unpacked files
SH256 hash:
6a1ac4936f4be1f2c511081cb5e74a6450889f8cf17f797eafa052d9ebc01ace
MD5 hash:
2b032fed1a53427bf06ca64cf423561f
SHA1 hash:
145eef779100e93885882fc1303c38845fcb55e2
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/2642dd48-3ca9-42c9-be24-187f18d0fb96/
SH256 hash:
a655be43f79d44bf3e6720e6e1aa99b8fd94785cd46707d9a0dd48a10e4d20c8
MD5 hash:
7c2c98a1bc1af93e1bc1e0c933915b8e
SHA1 hash:
c5c3a2e553fdfa9010cf11b582fe3399c5551ffd
Link:
https://www.unpac.me/results/2642dd48-3ca9-42c9-be24-187f18d0fb96/
SH256 hash:
cc5758197945d010a4152611ccb5fe479ac3414e13e4d77d00567b7a01610348
MD5 hash:
a4214e5b16577fd6fc3cc0e46b93b650
SHA1 hash:
95d1307f80a9985d0919257d3f3165972ccba140
Link:
https://www.unpac.me/results/2642dd48-3ca9-42c9-be24-187f18d0fb96/
SH256 hash:
7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391
MD5 hash:
1622a62bf6805b2dca82a8632eceac71
SHA1 hash:
071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c
Link:
https://www.unpac.me/results/2642dd48-3ca9-42c9-be24-187f18d0fb96/
SH256 hash:
be5825c707b2fd0d972ae9d2431561b9215de539846232cff466cb11e20b9d89
MD5 hash:
daf6c083b09bbd7db92bd975933097b8
SHA1 hash:
b5ecee6fd39b1b89a1246842bdb93b34d6a3637e
Link:
https://www.unpac.me/results/2642dd48-3ca9-42c9-be24-187f18d0fb96/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/be5825c707b2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be5825c707b2fd0d972ae9d2431561b9215de539846232cff466cb11e20b9d89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/451594/

Comments